Even when setting […] in log4j properties section as recommended by […]:

> Solution:
>
> You can manually sanitize each parameter.
>
> ```java
> log.info("User " + val.replaceAll("[\r\n]","") + " (" + userAgent.replaceAll("[\r\n]","") + ") was not authenticated");
> ```
>
> You can also configure your logger service to replace new lines for all message events. Here is a sample configuration for LogBack using the replace function.
>
> ```
> %-5level - %replace(%msg){'[\r\n]', ''}%n
> ```
>
> Finally, you can use a logger implementation that replaces new lines with spaces. The project OWASP Security Logging has an implementation for Logback and Log4j.

and additionally replacing the values:

```scala
logger.warn(s"some text ${someInteger.toString.replaceAll("[\r\n]", "")} more text")
```

I still keep getting CRLF_INJECTION_LOGS errors.

Note, I am using scala.
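The manual-sanitization approach quoted above, as an added example that is not part of the issue, the Find Security Bugs project or OWASP Security Logging. It applies the same `replaceAll("[\r\n]", "")` idea as a small helper and shows, on a constructed attacker-controlled username, that a value carrying a CR/LF sequence can no longer split a log entry into two lines. The class name `LogSanitizer`, the `mark` variant and the `\r`/`\n` marker tokens it emits are this example's own choices.

```java
import java.util.regex.Pattern;

/**
 * Added example (not from the issue or the Find Security Bugs project):
 * neutralising CRLF log injection before a value reaches the logger.
 */
public class LogSanitizer {

    // Same pattern as the quoted advice: strip carriage return and line feed.
    private static final Pattern CRLF = Pattern.compile("[\r\n]");

    /** Removes CR and LF, exactly like the page's replaceAll("[\r\n]", ""). */
    public static String strip(String value) {
        return value == null ? null : CRLF.matcher(value).replaceAll("");
    }

    /**
     * Alternative (this example's choice, not from the page): keep evidence
     * that a line break was attempted by writing it as a visible escape
     * instead of silently deleting it. The entry still stays on one line.
     */
    public static String mark(String value) {
        return value == null ? null : value.replace("\r", "\\r").replace("\n", "\\n");
    }

    /** Builds the page's "was not authenticated" message with both fields sanitised. */
    public static String notAuthenticatedMessage(String user, String userAgent) {
        return "User " + strip(user) + " (" + strip(userAgent) + ") was not authenticated";
    }

    /** Number of physical lines a message would occupy in a line-oriented log file. */
    public static int lineCount(String message) {
        return message.split("\r?\n|\r").length;
    }

    public static void main(String[] args) {
        // Constructed attacker-controlled input: a username that embeds CRLF
        // followed by text shaped like a second, fake log entry.
        String user = "mallory\r\nINFO  - User admin was authenticated";
        String userAgent = "curl/8.0";

        String unsafe = "User " + user + " (" + userAgent + ") was not authenticated";
        String safe = notAuthenticatedMessage(user, userAgent);

        System.out.println("unsanitised message occupies " + lineCount(unsafe) + " line(s)");
        System.out.println("sanitised message occupies   " + lineCount(safe) + " line(s)");
        System.out.println("stripped: " + safe);
        System.out.println("marked:   " + mark(user));
    }
}
```

The unsanitised message is written as two lines, the second of which looks like a genuine entry; both `strip` and `mark` collapse it to one. Stripping matches the page's advice and is the right default when the downstream consumer cannot tolerate extra characters; the `mark` variant is a defender-side choice that keeps a trace of the attempt in the log for later review. In Scala the same helper can be called inside the string interpolation shown in the issue, replacing the inline `replaceAll`.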
Once you have configured LogBack, you need to disable the rule "CRLF_INJECTION_LOGS".
At the moment, Find Security Bugs is not able to analyze other files than the class files (spotbugs/spotbugs#186).